Security Mavens Invaded by Trojan

Michelle Delio
02.01.01

Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.

A popular Web discussion board devoted to computer security became the unwitting host of an attack program aimed at security firm Network Associates Wednesday night.

A cracker posted to the Bugtraq board what he said was an exploit script: code that would let people take advantage of a recently discovered hole in BIND, the software that most of the Internet's name servers run.

Anyone who downloaded and ran the posted script did not get a BIND exploit, however. Instead, the script launched a denial-of-service attack against Network Associates (NAI), sending streams of garbage packets in the hope of overwhelming the firm's name server.

NAI, which had already patched the BIND hole on its own systems, said the flood did not noticeably affect its website's performance. Patching BIND does not by itself stop a packet flood; the traffic evidently was not enough to overwhelm NAI's servers.

"We have determined that a distributed denial of service attack was directed at NAI last night," an NAI spokeswoman said, "but no penetration to the corporate network took place. We are continuing to investigate the origin of this attack."

NAI was the first to raise the alarm over the BIND hole, and Bugtraq moderator Elias Levy said he assumes the attack was intended to see whether NAI had practiced what it preached and patched its own servers.

Levy said he has been in contact with NAI since the Trojan horse was discovered and said the company hasn't reported any attacks or problems to him.

"That script came in pretty late last night," Levy said. "And actually we took a good look at it, because it appeared to be a pretty complete exploit and it was posted from an anonymous remailer. But due to the lateness of the hour, we didn't decompile the code contained in the message, which would have revealed it was a Trojan."

Instead, Levy said, Bugtraq forwarded the message to Network Associates for its opinion and input.

"NAI confirmed it was a valid exploit, and we went ahead and posted the information to Bugtraq," said Levy. "They obviously didn't decompile the code either, or they would have realized it was a Trojan that was aimed at them."

"The supposed script was actually a Trojan, and I'd bet a bunch of people grabbed it. Some would have known what it was and figured they could play with it and alter it to their own needs, and others would have just innocently run it," said "Taltos," who identifies himself as a computer cracker, but added he had nothing to do with "this particular Trojan."

Trojan horses are programs that purport to do one thing while hiding malicious behavior in their code.

Levy said there was no way of telling how many people may have downloaded the Trojan, although he said the Trojan was revealed by Bugtraq users "fairly early on."

He also noted that Bugtraq has no intention of removing the message from its archives.

"The archives are the history of Bugtraq. We don't like to pull things out," Levy said. "And it's important to note that we make no claims for any of the information that is posted on our boards; we assume that people will read the rest of the message thread, and use their common sense."

Matt Lewis, the first to discover the Trojan, noted that it "attacks dns1.nai.com.... it forks off many copies of itself and violently attacks NAI's name server."

Lewis also said "there's quite possibly other things going on as well, locally," meaning the code may also do something to the machine that runs it, so the Trojan wasn't necessarily aimed solely at NAI.
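Levy's remark that decompiling the posted code would have revealed the Trojan, and Lewis's finding that it targets dns1.nai.com, describe the check any recipient of a posted "exploit" should do before running it: decode the embedded payload and look at what it actually contains. The following is an added example, not code from the article, from Bugtraq or from NAI. The shellcode string is constructed for illustration (the only thing in it taken from the article is the hostname dns1.nai.com), and the `triage` and `unexpected_targets` helpers are this example's own names, not tools mentioned on the page.

```python
from __future__ import annotations

import re

# Constructed sample, NOT the code posted to Bugtraq: a C-style escaped
# "shellcode" literal of the kind exploit scripts embed. The hostname is the
# one Matt Lewis reported the real Trojan attacked; everything else is made up
# for this example (the first bytes are a textbook execve("/bin//sh") stub).
SAMPLE_SHELLCODE = (
    "\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e"
    "\\x89\\xe3\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80"
    "dns1.nai.com\\x00"
    "\\x90\\x90\\x90\\x90"
)

# "\xHH" escape, or any single literal character.
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|(.)", re.S)
HOST_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b"            # dotted-quad IP address
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b",      # dotted hostname
    re.I,
)
# Fragments that a "/bin/sh"-spawning stub leaves behind in a strings listing.
SHELL_HINTS = ("/bin/sh", "/bin//sh", "//sh", "h/bin")


def decode_c_escapes(text: str) -> bytes:
    """Turn a pasted C literal such as "\\x31\\xc0..." into the raw bytes it encodes."""
    out = bytearray()
    for hex2, lit in ESCAPE_RE.findall(text):
        out.append(int(hex2, 16) if hex2 else ord(lit) & 0xFF)
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """strings(1) equivalent: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(text: str) -> dict:
    """Decode an embedded payload and report what a reader should notice before running it."""
    data = decode_c_escapes(text)
    strs = printable_strings(data)
    hosts = sorted({h for s in strs for h in HOST_RE.findall(s)})
    shell = [s for s in strs if any(hint in s for hint in SHELL_HINTS)]
    return {
        "bytes": len(data),
        "strings": strs,
        "targets": hosts,          # hosts baked into the payload
        "shell_fragments": shell,  # evidence the payload spawns a shell
    }


def unexpected_targets(report: dict, declared: set[str]) -> list[str]:
    """Hosts hard-coded in the payload that the user never asked the exploit to hit."""
    declared_lower = {d.lower() for d in declared}
    return [h for h in report["targets"] if h.lower() not in declared_lower]


if __name__ == "__main__":
    report = triage(SAMPLE_SHELLCODE)
    for key, value in report.items():
        print(f"{key}: {value}")
    # An exploit the user pointed at one BIND server but which carries
    # another host's name is exactly the shape of the Bugtraq Trojan.
    print("unexpected:", unexpected_targets(report, {"victim.example.net"}))
```

To use this on a real posting, paste the quoted byte string in place of SAMPLE_SHELLCODE. A payload that names a host the user never supplied, or that carries a /bin/sh stub when the accompanying text says it only probes a name server, is reason to read the rest of the thread before running anything. Encrypted or self-decoding payloads will defeat a strings pass, which is why Levy speaks of decompiling rather than merely reading the code.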

Although no one has yet reported damage to their own machines, some said the script, which forks many copies of itself, could also hurt the computer that runs it.

"Looks like there's some potential for more nastiness there," Taltos said.

There is no way to know how many people may have downloaded the Trojan. But since interest in information about BIND exploits is high, it can be assumed that "more than a handful of people had a peek," Taltos said.

BIND is the software most name servers run; it translates domain names into the numeric IP addresses computers use, so that a request reaches the server a Net surfer wants.

BIND runs on the vast majority of name servers on the Internet, and the holes discovered in it let an attacker remotely take control of any machine running an unpatched version.

Therefore, any information on how to exploit the hole would be very interesting to both crackers and security experts, who Taltos said have combed discussion boards and websites looking for information on the hole.

The BIND hole is considered a critical problem.

"These vulnerabilities have the potential to take out big chunks of the Internet," NAI's Jim Magdych said in the firm's announcement originally detailing BIND's vulnerability.

Network Associates found the hole in December and alerted the Internet Software Consortium, which maintains BIND. A patch was released last weekend, just prior to the public announcement.

The Internet Software Consortium in turn alerted the administrators of large networks, and kept them posted on the progress of the patch.

By the time the announcement was made to the general public on Monday, the patch was available.

"This is standard practice with serious holes," Taltos said. "There's no sense in telling people that they can do evil things until you at least have a fighting chance to stop them from doing them."